NVD MCP Server

search_cves

Search the NVD for CVEs by keyword, severity, CPE, CWE, KEV status, or date range, and retrieve detailed vulnerability data including CVSS scores and references.

Instructions

Search the National Vulnerability Database (NVD) for CVEs matching the given filters.

Returns a JSON string with pagination info and a list of matching CVEs, each containing: id, published date, status, English description, CVSS score, CWE weaknesses, top 5 references, and CISA KEV data if applicable.

Performance guidance:

Keep results_per_page at 5–10 to avoid slow responses.
When filtering by date, limit the window to 30 days or less.
Broad severity or keyword queries without a date range can be slow; add pub_start_date / pub_end_date or last_mod_start_date / last_mod_end_date to speed them up.

Mutually exclusive groups (enforced by validation):

cvssV2Metrics / cvssV3Metrics / cvssV4Metrics: use at most one
cvssV2Severity / cvssV3Severity / cvssV4Severity: use at most one
isVulnerable requires cpeName and excludes virtualMatchString
version range params (versionStart/End) require virtualMatchString

Input Schema

TableJSON Schema

Name	Required	Description	Default
`request`	Yes	Pydantic model for request params validation. Please note, as of July 2022, the NVD no longer generates new information for CVSS v2. Existing CVSS v2 information will remain in the database but the NVD will no longer actively populate CVSS v2 for new CVEs. NVD analysts will continue to use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, information related to CVSS v3.1, CWE, and CPE Applicability statements. The CVE API returns four primary objects in the response body that are used for pagination: resultsPerPage, startIndex, totalResults, and vulnerabilities. totalResults indicates the total number of CVE records that match the request parameters. If the value of totalResults is greater than the value of resultsPerPage, there are more records than could be returned by a single API response and additional requests must update the startIndex to get the remaining records. The best, most efficient, practice for keeping up to date with the NVD is to use the date range parameters to request only the CVEs that have been modified since your last request. If filtering by `isVulnerable`, `cpeName` is required. Please note, `virtualMatchString` is not accepted in requests that use `isVulnerable`.

Output Schema

TableJSON Schema

Name	Required	Description	Default
`result`	Yes

Tool Definition Quality

A4/5.0

Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden. It discloses performance implications (e.g., slow queries without date ranges), mutual exclusivity constraints, and the return format (JSON with pagination). It does not cover authentication or rate limits, but for a search tool, the transparency is good.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured: an introductory sentence, return value summary, performance guidance, and mutual exclusivity rules. Every sentence serves a purpose and is front-loaded. Despite being relatively long, there is no redundancy or fluff.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

The description covers the main behavior (search, pagination, key fields), but lacks details on error handling, rate limits, or authentication. Given the complexity of the tool (many parameters, nested schemas), the description is nearly complete, especially with the output schema existing.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so parameters are already well-documented. The description adds value beyond the schema by summarizing performance guidelines and mutually exclusive groups, which helps agents combine parameters correctly. The 'Mutually exclusive groups' section is particularly useful for avoiding invalid combinations.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'Search the National Vulnerability Database (NVD) for CVEs matching the given filters.' It specifies the verb (search), resource (CVEs), and source (NVD). The return structure is also described, making the purpose unambiguous.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

While the description provides performance guidance and lists mutually exclusive parameter groups, it does not mention when to use this tool over its sibling 'search_cve_history'. There is no explicit guidance on tool selection or when not to use this tool, which is a significant gap given the sibling exists.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Alig1493/nvd-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server